System Hacking: gaining access


Questions and Answers

Which of the following best describes the primary goal of system hacking?

  • To gain unauthorized access to a target system. (correct)
  • To disrupt network services for a short period.
  • To identify and report system vulnerabilities to the vendor.
  • To encrypt sensitive data on a system for ransom.

Which of the following Windows components stores user passwords in a hashed format?

  • The Security Account Manager (SAM) database (correct)
  • The Active Directory schema
  • The Group Policy Objects (GPO)
  • The Windows Registry

Which authentication protocol is used by default in modern Windows systems for stronger client/server authentication?

  • NTLM
  • challenge-response
  • Kerberos (correct)
  • LAN Manager (LM)

What is the primary function of the SYSKEY function in relation to the SAM file in Windows NT 4.0 and later?

To partially encrypt the password hashes within the SAM file. (C)

What is the main characteristic of a 'non-electronic' password attack?

It relies on social interaction or observation to obtain passwords. (B)

What type of password attack does the tool pwdump7 facilitate?

Extracting password hashes from a SAM database. (A)

Which of the following password attacks involves an attacker intercepting and relaying NTLM authentication requests between a client and a server?

NTLM Relay Attack (D)

In the context of Kerberos authentication, what component serves as a trusted third party to verify user identities?

Key Distribution Center (KDC) (B)

What is the main characteristic of Rainbow Table Attacks?

They use pre-computed hashes to recover passwords. (C)

What is the primary method by which attackers exploit the 'Do not require Kerberos preauthentication' setting in an Active Directory environment?

By extracting and cracking the ticket granting ticket (TGT). (B)

Which of the following attacks involves attempting a single commonly used password across multiple user accounts before moving to the next password?

Password spraying attack (B)

Which type of attack involves the attacker obtaining some information about the password, such as knowing the password contains a two-digit number?

Rule-based attack (A)

What is the purpose of a 'mask attack' in password cracking?

To narrow down the list of possible passwords by using a pattern. (A)

In an NTLM authentication process, what is the purpose of the 'nonce' sent by the domain controller to the client computer?

To provide a random string that the client must encrypt with the user password hash. (A)

What underlying aspect of human behavior does social engineering exploit to gain unauthorized access?

Trusting nature of people (B)

Which of the following tools can be used to perform password attacks such as brute-force attacks, dictionary attacks, and mask attacks?

Hashcat (A)

How do attackers exploit Single-Sign-On (SSO) in Windows environments during a hash injection/Pass-the-Hash (PtH) attack?

Inject a compromised LAN Manager (LM) or NTLM hash into a local session. (B)

What is the primary objective of attackers employing LLMNR/NBT-NS poisoning techniques within a network?

To collect NTLMv2 hashes for cracking or relaying. (D)

What is the primary purpose of 'dumpster diving' as a system hacking technique?

To collect sensitive information from discarded materials. (B)

During a password change operation in newer Windows versions, what value does the SAM file store for LM hashes if LM hashes are disabled?

A 'dummy' value. (B)

In the context of system security, what does the term 'shoulder surfing' refer to?

Observing someone entering their password. (D)

Why are dictionary attacks generally more effective than brute-force attacks?

Dictionary attacks use a list of words commonly used as passwords. (D)

What is the primary goal of using Trojans/Spyware/Keyloggers in system hacking?

To capture user credentials and sensitive information. (A)

Which of the following is a type of password attack that does not lead to any changes in the system but passively monitors or records the data passing over the communication channel?

Passive Online Attacks (B)

What are the two main elements of Windows OS used to perform name resolution for hosts present on the same link?

LLMNR and NBT-NS (D)

During which phase of system hacking is password cracking typically employed?

Gaining access (C)

What is a common mitigation against password spraying attacks?

Enforcing multi-factor authentication. (C)

Which type of attack is similar to brute-force attacks but recovers passwords from hashes with a more specific set of characters based on information known to the attacker?

Mask attack (C)

What is the purpose of using custom charsets in hashcat?

To define the type of characters for brute-forcing passwords. (C)

Why is encrypting the nonce with a user password hash in the NTLM authentication process important?

To verify that the client computer knows the user's password. (D)

In the context of password guessing, which strategy would BEST improve an attacker's chances of success?

Finding and targeting known default accounts. (C)

What is the primary advantage of using tools like thc-hydra for password attacks?

The tool allows attackers to use different options on how to attack with logins and passwords. (B)

What is the initial step when performing a dictionary attack using John the Ripper?

Download wordlist rockyou.txt. (D)

Flashcards

Password Cracking

The process of recovering passwords from data transmitted or stored within a system.

Non-Electronic Attack

A password attack not needing technical skills; methods include social engineering.

Active Online Attack

When the attacker communicates directly with the target to gain access.

Passive Online Attack

An attack that doesn't alter the system; the attacker only monitors.


Offline Attack

Attacker recovers clear text passwords from hash dumps.


Shoulder Surfing

Technique of stealing passwords by watching users enter them.


Dumpster Diving

Key attack method using trash to find sensitive information.


Dictionary attack

A file loaded into a cracking app that runs against user accounts.


Brute-Force Attack

A program tries every character combination.


Rule-Based Attack

Used when the attacker has some info about the password.


Password Spraying Attack

Targets multiple user accounts simultaneously using one set of passwords.


Pass the Ticket

Technique for authenticating a Kerberos user without the password.


NTLM Relay Attack

Involves intercepting and relaying NTLM auth requests.


Microsoft Authentication

Hashes stored in Windows SAM or Active Directory DB.


NTLM Authentication

Default authentication using challenge/response.


Kerberos Authentication

Network authentication via secret-key crypto.


Security Accounts Manager (SAM)

Windows DB to manage user accounts.


Study Notes

  • System hacking is a critical goal for attackers, involving techniques like footprinting, scanning, enumeration, and vulnerability analysis.
  • The focus will be on tools and techniques attackers use to compromise systems.
  • The key objectives are to explain access techniques, apply privilege escalation, maintain remote access, understand rootkits, use steganography, hide evidence, and implement countermeasures.

Gaining Access

  • The CEH hacking methodology (CHM) includes attacker steps that will be discussed.
  • The primary step involves attackers using various techniques to gain access to the target system.
  • These techniques involve cracking passwords, exploiting buffer overflows, and exploiting identified vulnerabilities.

Microsoft Authentication: How Hash Passwords Are Stored in Windows SAM?

  • Windows stores user passwords in the Security Account Manager (SAM) or Active Directory database, always hashed, never as clear text.
  • Tools such as pwdump7, Mimikatz, DSInternals, Hashcat, and PyCrack are used to extract the password hashes.
  • pwdump7 extracts LM and NTLM password hashes from the SAM database.

Microsoft Authentication: NTLM Authentication Process

  • NTLM has two authentication protocol types: NTLM authentication and LM authentication protocol.
  • These protocols store the user's password in the SAM database using different hashing methods which will be discussed.
  • Windows runs the password through a hash algorithm for authentication.
  • The steps in the NTLM process include the client sending a login request, the DC sending a challenge, the client encrypting it and sending it back, and the DC comparing.

Microsoft Authentication: Kerberos Authentication

  • Microsoft upgraded its default authentication protocol to Kerberos, which offers stronger security than NTLM.
  • Steps include the user requesting authentication from the AS, the AS granting a ticket, the client requesting service from the TGS, and access being granted to the application server.

Cracking Passwords: Microsoft Authentication

  • Steps are performed for user authentication using three mechanisms provided by Microsoft.
  • Windows uses the Security Accounts Manager (SAM) database or Active Directory Database to manage user accounts and passwords in hashed format.
  • The system does not store passwords in plaintext format but in a hashed format, to protect them from attacks.
  • The SAM database is implemented as a registry file, and the Windows kernel obtains and keeps an exclusive filesystem lock on it for security.
  • Attackers can dump the on-disk contents of the SAM file using various techniques to make password hashes available for offline brute-force attacks.
  • The SAM file uses a SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes.

NTLM Authentication

  • NT LAN Manager (NTLM) is a default authentication scheme.
  • It performs authentication using a challenge/response strategy and does not rely on any official protocol specification.
  • NTLM has two protocols: NTLM authentication protocol and LAN Manager (LM) authentication protocol.
  • These protocols use different hash methodologies to store user’s passwords in the SAM database.

Kerberos Authentication

  • Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography.
  • The messages are protected against replay attacks and eavesdropping.
  • The Key Distribution Center (KDC) contains an authentication server (AS) and a ticket-granting server (TGS).

How Hash Passwords Are Stored in Windows SAM?

  • Windows stores user passwords in the SAM database file, located at %SystemRoot%\system32\config\SAM.
  • Windows mounts the SAM file in the registry under HKEY_LOCAL_MACHINE\SAM.
  • The system stores LM or NTLM hashed passwords.
  • NTLM superseded the LM hash, but new versions of Windows still support LM hashes for backward compatibility.
  • Tools like pwdump7 extract password hashes from the SAM database.
  • pwdump7 extracts LM and NTLM password hashes of local user accounts from the SAM database.

NTLM Authentication Process

  • NTLM involves challenge-response authentication (LM, NTLMv1, NTLMv2) with varying encryption levels.
  • The client and server negotiate the authentication protocol using the Microsoft-negotiated Security Support Provider (SSP).
  • Microsoft recommends Kerberos as its default authentication protocol because of its stronger authentication for client/server applications.

Password Cracking

  • Password cracking is recovering passwords from stored or transmitted data in a computer system.
  • It can help users recover lost passwords and system administrators check for vulnerabilities.
  • Attackers also use password cracking to gain unauthorized system access.
  • Password-cracking techniques are often successful because passwords are typically weak or guessable.

Types of Password Attacks

  • Non-Electronic Attacks: The attacker requires no technical knowledge.
  • Active Online Attacks: The attacker directly communicates with the victim’s machine.
  • Passive Online Attacks: The attacker does not interact with the authorizing party when cracking passwords.
  • Offline Attacks: The attacker copies the password file and cracks the passwords on their own system.

Non-Electronic Attacks

  • Social engineering, shoulder surfing, and dumpster diving are the three types of non-electronic attacks.
  • Social engineering exploits human behavior to gain information.
  • Employees may sometimes not value the information they possess.
  • The best defense is to educate, train, and create awareness about this attack and the value of information.

Shoulder Surfing

  • Shoulder surfing is a technique that steals passwords by watching users enter them.
  • The attacker looks at the keyboard or screen as the user logs in.
  • This attack can occur in checkout lines at stores when users enter PINs.

Dumpster Diving

  • Dumpster diving involves searching through trash to find sensitive information.
  • Attackers can find documents, discarded media with password files, manuals, reports, and credit card numbers.
  • The information gathered can be used to perform other attacks, such as social engineering.

Active Online Attacks: Dictionary, Brute-Force, and Rule-based Attack

  • A dictionary file is loaded into the cracking application that runs against user accounts in dictionary attacks.
  • The program tries every combination of characters until the password is broken in brute-force attacks.
  • The attacker gets some information about the password in rule-based attacks.

Active Online Attacks: Perform Dictionary and Brute-Force Attack

  • The rockyou.txt wordlist should be found in the /usr/share/wordlist directory, but can also be downloaded from GitHub.
  • Run the command to generate a customized password list.
  • The following John the Ripper command should be run to start cracking NTLM hashes.

Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack

  • The PtH attack injects a compromised hash into a local session and uses it to validate to network resources.
  • The extracted hash is used by attackers to log on to the domain controller.

Active Online Attacks: LLMNR/NBT-NS Poisoning

  • LLMNR and NBT-NS are Windows OS elements used for host name resolution on the same link.
  • The attacker cracks the NTLMv2 hash obtained from the victim’s authentication process.
  • The extracted credentials are used to log on to the host system in the network.

AS-REP Roasting (Cracking TGT)

  • The attackers target users that have the "Do not require Kerberos preauthentication" option enabled.
  • Attackers extract the ticket granting ticket (TGT) and crack it to obtain user passwords.
  • The attack allows the attackers to gain illegal access, move laterally within the network, and escalate privileges.

Password Spraying Attack

  • This involves targeting multiple user accounts with a common password set, exploiting account lockout policies.
  • It can be performed through ports like MSSQL (1433/TCP), SSH (22/TCP), FTP (21/TCP), SMB (445/TCP), Telnet (23/TCP).
  • The command-line tool thc-hydra is commonly used for password spraying attacks.
